Accelerating Software Security With HP

Rob Roy, Federal CTO, HP Software


Page 1

Accelerating Software Security With HP
Rob Roy, Federal CTO, HP Software

Page 2

Mike McConnell (former DNI, NSA; head of Booz Allen Hamilton National Security Business)

“If we were in a cyberwar today, the United States would lose.”

SOURCE: TESTIMONY TO THE SENATE COMMERCE COMMITTEE HEARING ON CYBERSECURITY, 2/23/2010

Page 3

SECURITY SPENDING CONTINUES TO CLIMB…

• $79 Billion: U.S. IT security spend, 2007 [1]
• $7.3 Billion: IT security allocation in the 2009 U.S. Federal Budget [2]
• $288 Billion: Global IT security spend, 2007 [3]

[1] Info-Tech Research Group, November 15, 2006 baseline, 30% growth in 2007
[2] U.S. Office of Management & Budget, March 11, 2008
[3] Gartner Symposium/ITxpo, October 10, 2007

Page 4

…BUT THE BAD NEWS PILES UP EVEN FASTER

Page 5

Applications are the focus…

• The number and costs of breaches continue to rise
• 80% of successful attacks target the application layer (Gartner)
• 86% of applications are in trouble
  • Web App Security Consortium studied security tests across 12,186 applications
  • 13% of applications could be compromised completely automatically
  • 86% had vulnerabilities of medium or higher severity found by completely automated scanning

$202: total average cost of a data breach per compromised record*
× 30,000: average number of compromised records per breach^
$6.65 M: average total cost per breach*

* Ponemon Institute, 2008 Annual Study: U.S. Cost of a Data Breach
^ Source: The Open Security Foundation

Page 6

…Yet we have a false sense of security
• Walls don’t work. They protect the network, not the assets

Perimeter and endpoint controls shown: Desktop A/V, VPN, A/V, Mobile Security, Firewalls, Email Gateways, Web Gateways, DLP, Proxies, IPS/IDS, Web App Firewall, DB Firewall, Server A/V, Identity & Access

Page 7

Cybercrime case study: 3rd largest US payment processor

The Incident
• Breach reported Jan 2009
• 94M credit records stolen
• Fines levied to banks > $6M
• Total cost of damages / loss > $140M

The Attack
• Personnel application attacked by SQL Injection
• Attackers inject code into data processing network
• Credit card transactions stolen
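The SQL injection path named in the case study above, as an added Python example that is not from the deck or from HP: a string-built lookup beside its parameterized form, both run against a constructed in-memory SQLite table. The table, its rows and the probe string are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a "personnel application" table;
# the schema, rows and probe string are illustrative, not from the deck.
EMPLOYEES = [("alice", "pw-alice", "payroll"), ("bob", "pw-bob", "clerk")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, username, password):
    """String-built query: user-controlled text becomes part of the SQL itself,
    so a quote in the input can change the statement's structure."""
    sql = ("SELECT username, role FROM employee WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Bound parameters: the driver sends values separately from the SQL text,
    so input is only ever compared as data and cannot alter the query."""
    sql = "SELECT username, role FROM employee WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run the same honest and hostile inputs through both paths and return the rows."""
    conn = _db()
    probe = "' OR '1'='1"  # textbook tautology, used only to contrast the two paths
    return {
        "honest_vuln": lookup_vulnerable(conn, "alice", "pw-alice"),
        "honest_safe": lookup_parameterized(conn, "alice", "pw-alice"),
        "probe_vuln": lookup_vulnerable(conn, "x", probe),   # every row leaks
        "probe_safe": lookup_parameterized(conn, "x", probe),  # no match
    }
```

The contrast is the whole point of a static-analysis gate: the vulnerable function is what a line-of-code finding points at, and the parameterized one is the fix that finding should prescribe.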

Page 8

The Conclusion

• Time to Reprioritize
  • 80% of attacks are at the software layer
  • 0.6% of IT security spend is on software security
  • The spend must be re-allocated to favor software security
• Software Security is a Cross Functional Problem
  • Security must provide assurance
  • Vulnerabilities must be addressed in development
  • Operations involved with deployment solutions

Page 9

Today, Software is Everywhere
Users demand their applications anywhere, anytime

• On Premise: desktops and servers
• On Demand: cloud and hosted
• On The Go: laptops and mobile devices

Page 10

Today’s Approach > Expensive, Reactive

1. Somebody builds bad software (in-house, outsourced, commercial, open source)
2. IT deploys the bad software
3. $$ We are breached or pay to have someone tell us our code is bad
4. $ We convince & pay the developer to fix it

Page 11

A Safer, More Cost Effective Approach

1. Existing or newly created software (in-house, outsourced, commercial, open source)
2. Security Gate: determine if it is resilient before production, separating good code from bad code
3. Work with the developer to locate and fix vulnerabilities

This is Software Security Assurance
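The security gate in step 2, as an added Python example (not the deck's or HP's code): it correlates constructed static and dynamic findings for one application, marks a vulnerability class as confirmed when both analyses report it, and blocks release on anything of medium or higher severity, the threshold used on the breach-statistics slide. The tool names, categories, locations and default threshold are assumptions.

```python
from dataclasses import dataclass

# Severity ordering used by the gate; "medium or higher" is the cut the
# deck's 86%-of-applications statistic was measured against.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # "static" (source analysis) or "dynamic" (running-app test)
    category: str   # vulnerability class, e.g. "sql_injection"
    location: str   # file:line for static findings, request path for dynamic ones
    severity: str   # one of SEVERITY_RANK


# Constructed findings for one application as two scanners might report them;
# names, categories and locations are illustrative, not from the deck.
FINDINGS = [
    Finding("static", "sql_injection", "Login.java:42", "high"),
    Finding("dynamic", "sql_injection", "/login", "high"),
    Finding("static", "hardcoded_password", "Config.java:7", "medium"),
    Finding("dynamic", "missing_security_header", "/", "low"),
]


def correlate(findings):
    """Pair each finding with a confirmed flag: True when both a static and a
    dynamic result report the same category (static gives the line of code,
    dynamic shows the issue is reachable in the running application)."""
    tools_by_category = {}
    for f in findings:
        tools_by_category.setdefault(f.category, set()).add(f.tool)
    return [(f, tools_by_category[f.category] >= {"static", "dynamic"})
            for f in findings]


def security_gate(findings, block_at="medium"):
    """Decide whether a build may go to production. Returns the decision plus
    the blocking findings ordered confirmed-first, then by descending severity,
    which is the order a developer should work through them."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [(f, confirmed) for f, confirmed in correlate(findings)
                if SEVERITY_RANK[f.severity] >= threshold]
    blocking.sort(key=lambda fc: (not fc[1], -SEVERITY_RANK[fc[0].severity]))
    return {"release": not blocking, "blocking": blocking}
```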

Page 12

Security in the lifecycle
• Making security a part of everything that you do

HP Fortify Application Security Center
• Security Requirements
• Source code validation: static analysis
• QA & Integration Testing: static & dynamic analysis
• Production Assessment: dynamic analysis
• Centralized Management, Governance, Reporting
• Continuous Updates

HP Web Security Research Group
• Internal app security research
• External hacking research

Page 13

Industry’s most comprehensive IT management portfolio
HP Software BTO portfolio

Business outcomes

Portfolio columns shown: STRATEGY, APPLICATIONS, OPERATIONS

Products and areas shown: Project & Portfolio Management Center; CIO Office; CTO Office; SOA Center; SAP, Oracle, SOA, J2EE, .Net; Quality Center; Performance Center; Application Security Center; Application lifecycle; Business service management; IT service management; Business Availability Center; Operations Center; Network Management Center; Service Management Center; Client Automation Center; Data Center Automation Center; Business service automation; Universal CMDB; Operations Orchestration; Service portfolio management; Software-as-a-Service

Page 14

Managing Application Security Risk
Through powerful automation and flexible management tools

• Security Testing: HP Fortify SCA, HP WebInspect, HP Fortify PTA, HP QAInspect
• Monitoring and Defense: HP Fortify RTA
• Collaborative Remediation: HP Fortify Collaboration module, HP Fortify Audit Workbench, IDE Plugins
• Threat Intelligence: HP SecureBase, HP Fortify Secure Coding Rulepacks
• Proactive Management: HP Assessment Management Platform, HP Fortify Governance module, HP Fortify 360 Server

Page 15

Pillars for Success
Requirements for transformative changes throughout the organization

Software Services

Page 16

Fortify Services
Industry-tested methodology to help you meet your SSA goals

Services: Assessments; Software Security Strategy and Planning; SSA Pilot and Implementation; SSA Center of Excellence

SSA Framework*: Methodology, Progress Metrics, Assets, Program Management, Templates & Resources, Experts, Technology, Security Research

Program stages shown: Assess, Pilot, Adopt, Mature, Optimize (SSA Team)

Software types shown: In-House, Packaged, Custom, Open Source, Outsourcers

Risk levels shown: None, Understanding, Reducing, Minimizing

Page 17

HP Fortify on Demand
Hosted security testing solution for all software

Benefits
• The fastest, easiest way to quickly assess software risk
• Protect your investment: integrates with Fortify 360 as your software security program expands
• Greatly reduces time to meet compliance with government and industry regulations

Features
• Fast, accurate results without hardware or software set up
• Prioritized, correlated static and dynamic results with remediation guidance
• Can be used standalone or with F360

Page 18

HP Fortify SCA
Security Analysis for Development

Benefits
• Saves valuable development time and costs by pinpointing vulnerabilities during development
• Developers spend more time on innovation rather than patches after code is deployed
• Increases organization efficiency and improves communication

Features
• Pinpoint root cause of vulnerabilities: line of code detail
• Prioritize fixes sorted by risk severity
• Detailed “fix” instruction in the development language

Page 19

HP Fortify PTA
Security Analysis for Quality Assurance

Benefits
• Find more security issues faster during current QA processes
• Simplifies remediation and associated costs with IDE integration
• Lowers risk with correlated results from static and dynamic analysis

Features
• Works within existing QA test suite: no disruption to current processes
• Provides precise results: exact line of code
• Easy deployment: no customization or expertise required

Page 20

HP Fortify RTA
Security Analysis for Production Software

Benefits
• Blocks attacks to minimize security risks in deployed applications
• Provides an immediate solution to help meet PCI, DIACAP, OWASP and HIPAA compliance
• Protects while providing vulnerability root cause in a real-world context

Features
• Accurate responses to attacks, automatically and without tuning
• Extensive rules for common vulnerabilities
• Simple and easy set up: no training, modeling or coding required

Page 21

HP Fortify Governance
Security Management for Policy and Compliance

Benefits
• Reduces the costs of managing security programs
• Optimizes the investment in the SDLC program by automatically generating requirements based on the software risk profile
• Keeps developers focused on innovation and time to market vs. “managing” security

Features
• Web-based SSA dashboard with project and program level visibility
• Centralized risk profile manager maintains complete application inventory
• Automated assignment of the correct risk-mitigation activities based on risk profiles

Page 22

HP Assessment Management Platform
Control application security risk across the enterprise

• Scale application security
  • Manage application security programs
  • Enable Security Center of Excellence
  • Extend security across the application lifecycle
  • Share knowledge and best practices
• Increase visibility and control
  • Quantify application security risk
  • Add asset, data and business context to security
  • Trend reporting and analysis
  • Govern compliance/policies across the enterprise
• Available as SaaS

Page 23

HP WebInspect
Accelerate security through more actionable information

• Accelerate vulnerability detection
  • Test more applications in less time
• Provide more actionable information
  • Focus on what really matters
• Increase technology coverage
  • Assurance in testing the latest technologies for the latest vulnerabilities
  • JavaScript, Ajax, Flash, Oracle ADF
  • Backed by HP Web Security Research Group
• Facilitate vulnerability remediation
  • Extensive remediation description, steps, code samples & role based content
• Improve security knowledge
  • Security expertise within the solution

Page 24

HP QAInspect
Empower QA teams with embedded security testing

• Bring security process into ALM
  • ‘Build it in’ rather than ‘bolt it on’
  • Lower cost of attaining security
• Earlier vulnerability detection
  • Lower application risk
  • Build secure code, find defects early
• Integrate dynamic security testing into test planning, QM environment
  • Familiar environment for QA professionals
• Increase QA team value
  • Security testing without being security experts

Page 25